[CRIU] [PATCH] tcp: block connections in both directions
Andrew Vagin
avagin at openvz.org
Tue Aug 6 05:59:14 EDT 2013
The packet can be retransmited after dumping the tcp connect. The first
one is that the connection is blocked for only one direction. The second
one is that TCP timers continue work during dumping and they can send
packets. tcp_timestamp is saved for each tcp connections and then it’s
restored. So if a packet is sent after dumping, its timestamps is
saved by another side and this timestamp is sent back in the next packet
as the tsecr parameter. If this packet is received after restoring, it
looks like a packets from the future.
https://bugzilla.openvz.org/show_bug.cgi?id=2676
Signed-off-by: Andrew Vagin <avagin at openvz.org>
---
netfilter.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/netfilter.c b/netfilter.c
index 663ecf6..59654d7 100644
--- a/netfilter.c
+++ b/netfilter.c
@@ -67,9 +67,22 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
static int nf_connection_switch(struct inet_sk_desc *sk, int lock)
{
- return nf_connection_switch_raw(sk->sd.family,
+ int ret = 0;
+
+ ret = nf_connection_switch_raw(sk->sd.family,
sk->src_addr, sk->src_port,
sk->dst_addr, sk->dst_port, lock);
+ if (ret)
+ return -1;
+
+ ret = nf_connection_switch_raw(sk->sd.family,
+ sk->dst_addr, sk->dst_port,
+ sk->src_addr, sk->src_port, lock);
+ if (ret) /* rollback */
+ nf_connection_switch_raw(sk->sd.family,
+ sk->src_addr, sk->src_port,
+ sk->dst_addr, sk->dst_port, !lock);
+ return ret;
}
int nf_lock_connection(struct inet_sk_desc *sk)
@@ -84,7 +97,18 @@ int nf_unlock_connection(struct inet_sk_desc *sk)
int nf_unlock_connection_info(struct inet_sk_info *si)
{
- return nf_connection_switch_raw(si->ie->family,
+ int ret = 0;
+
+ ret |= nf_connection_switch_raw(si->ie->family,
si->ie->src_addr, si->ie->src_port,
si->ie->dst_addr, si->ie->dst_port, 0);
+ ret |= nf_connection_switch_raw(si->ie->family,
+ si->ie->dst_addr, si->ie->dst_port,
+ si->ie->src_addr, si->ie->src_port, 0);
+ /*
+ * rollback nothing in case of any error,
+ * because nobody checks errors of this function
+ */
+
+ return ret;
}
--
1.8.3.1
More information about the CRIU
mailing list